Re: RFR: 8330542: Add jaxp-strict.properties in preparation for a secure by default configuration [v8]

2024-05-17 Thread Joe Wang
On Thu, 16 May 2024 22:20:39 GMT, Joe Wang  wrote:

>> Add two sample configuration files:
>> 
>>   jaxp-strict.properties: used to set strict configuration, stricter than 
>> jaxp.properties in previous versions such as JDK 22
>> 
>>>   jaxp-compat.properties: used to regain compatibility from any more 
>>> restricted configuration than previous versions such as JDK 22
>> 
>> Updated 5/16/2024
>> 
>> Design change:
>> The design is changed to include in the JDK two configuration files that are 
>> the default jaxp.properties and jaxp-strict.properties, instead of three, 
>> dropping jaxp-compat.properties.
>
> Joe Wang has updated the pull request incrementally with one additional 
> commit since the last revision:
> 
>   remove jaxp-compat.properties from the list

Thanks Alan, Erik! Updated accordingly.

-

PR Comment: https://git.openjdk.org/jdk/pull/18831#issuecomment-2118424649


Re: RFR: 8330542: Add jaxp-strict.properties in preparation for a secure by default configuration [v8]

2024-05-17 Thread Erik Joelsson
On Fri, 17 May 2024 05:51:31 GMT, Alan Bateman  wrote:

>> Joe Wang has updated the pull request incrementally with one additional 
>> commit since the last revision:
>> 
>>   remove jaxp-compat.properties from the list
>
> make/modules/java.xml/Copy.gmk line 37:
> 
>> 35: JAXPPROPFILE_TARGET_FILES := $(subst $(JAXPPROPFILE_SRC_DIR),$(CONF_DST_DIR),$(JAXPPROPFILE_SRCS))
>> 36: 
>> 37: $(CONF_DST_DIR)/%: $(JAXPPROPFILE_SRC_DIR)/%
> 
> The make file changes to copy the properties files look okay but I'm curious 
> about why the naming changes from "XML" to "JAXPPROFILE".

If we are changing this file, we should modernize it.


$(eval $(call SetupCopyFiles, COPY_XML_MODULE_CONF, \
    DEST := $(CONF_DST_DIR), \
    FILES := $(wildcard $(TOPDIR)/src/java.xml/share/conf/jaxp*.properties*), \
))

TARGETS += $(COPY_XML_MODULE_CONF)

-

PR Review Comment: https://git.openjdk.org/jdk/pull/18831#discussion_r1604981949


Re: RFR: 8330542: Add jaxp-strict.properties in preparation for a secure by default configuration [v8]

2024-05-17 Thread Erik Joelsson
On Thu, 16 May 2024 22:20:39 GMT, Joe Wang  wrote:

>> Add two sample configuration files:
>> 
>>   jaxp-strict.properties: used to set strict configuration, stricter than 
>> jaxp.properties in previous versions such as JDK 22
>> 
>>>   jaxp-compat.properties: used to regain compatibility from any more 
>>> restricted configuration than previous versions such as JDK 22
>> 
>> Updated 5/16/2024
>> 
>> Design change:
>> The design is changed to include in the JDK two configuration files that are 
>> the default jaxp.properties and jaxp-strict.properties, instead of three, 
>> dropping jaxp-compat.properties.
>
> Joe Wang has updated the pull request incrementally with one additional 
> commit since the last revision:
> 
>   remove jaxp-compat.properties from the list

make/modules/java.xml/Copy.gmk line 31:

> 29: 
> 
> 30: #
> 31: # Copy property files from share/conf to CONF_DST_DIR LIB_DST_DIR

There is no copying to LIB_DST_DIR, so no need to mention it.

-

PR Review Comment: https://git.openjdk.org/jdk/pull/18831#discussion_r1604983457


Re: RFR: 8330542: Add jaxp-strict.properties in preparation for a secure by default configuration [v8]

2024-05-17 Thread Alan Bateman
On Thu, 16 May 2024 22:20:39 GMT, Joe Wang  wrote:

>> Add two sample configuration files:
>> 
>>   jaxp-strict.properties: used to set strict configuration, stricter than 
>> jaxp.properties in previous versions such as JDK 22
>> 
>>>   jaxp-compat.properties: used to regain compatibility from any more 
>>> restricted configuration than previous versions such as JDK 22
>> 
>> Updated 5/16/2024
>> 
>> Design change:
>> The design is changed to include in the JDK two configuration files that are 
>> the default jaxp.properties and jaxp-strict.properties, instead of three, 
>> dropping jaxp-compat.properties.
>
> Joe Wang has updated the pull request incrementally with one additional 
> commit since the last revision:
> 
>   remove jaxp-compat.properties from the list

src/java.xml/share/classes/module-info.java line 443:

> 441:  * 
> 442:  *
> 443:  * This file allows deployments to test the more secure/strict behavior,

I think it might be better to reduce this paragraph down to just say something 
like "Deploying with this configuration prevents processors from unknowingly 
making outbound network connections to fetch DTDs, or process XML that makes 
use of extension functions."

We could say that a future JDK release may use a strict configuration by 
default but that opens the door to questions as to whether the system property 
is needed, whether jaxp.properties is going away, so maybe better to leave 
that out for now.

-

PR Review Comment: https://git.openjdk.org/jdk/pull/18831#discussion_r1604418621
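
The behaviour named in the suggested wording above, a processor that does not go to the network to fetch a DTD, can be observed per factory with standard JAXP settings. This is an added example, not code from the PR, and it does not reproduce the contents of jaxp-strict.properties; the class name `StrictDtdCheck` and the sample document (with a reserved `.invalid` host) are constructed for illustration.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class StrictDtdCheck {
    // Constructed sample: the DOCTYPE names an external DTD on a reserved host.
    static final String SAMPLE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE note SYSTEM \"http://dtd.example.invalid/note.dtd\">\n"
      + "<note>hello</note>";

    static DocumentBuilder builder(boolean restrict) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        if (restrict) {
            f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            // Empty value: no protocol is permitted for external DTDs or schemas.
            f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        }
        return f.newDocumentBuilder();
    }

    // Returns a short description of what the parser did with SAMPLE.
    static String tryParse(boolean restrict) {
        try {
            builder(restrict).parse(new InputSource(new StringReader(SAMPLE)));
            return "parsed";
        } catch (SAXException e) {
            // Restricted case: refused by the access check, no connection attempted.
            return "rejected by parser: " + e.getMessage();
        } catch (Exception e) {
            // Unrestricted case: the parser tried to fetch the DTD and the
            // lookup of the reserved host failed (an IOException subclass).
            return "fetch attempted and failed: " + e;
        }
    }

    public static void main(String[] args) {
        System.out.println("restricted:   " + tryParse(true));
        System.out.println("unrestricted: " + tryParse(false));
    }
}
```

The difference between the two lines of output is the point: in the unrestricted case the failure comes from the network layer, which means the parser did try to reach the host named in the document.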


Re: RFR: 8330542: Add jaxp-strict.properties in preparation for a secure by default configuration [v8]

2024-05-17 Thread Alan Bateman
On Thu, 16 May 2024 22:20:39 GMT, Joe Wang  wrote:

>> Add two sample configuration files:
>> 
>>   jaxp-strict.properties: used to set strict configuration, stricter than 
>> jaxp.properties in previous versions such as JDK 22
>> 
>>>   jaxp-compat.properties: used to regain compatibility from any more 
>>> restricted configuration than previous versions such as JDK 22
>> 
>> Updated 5/16/2024
>> 
>> Design change:
>> The design is changed to include in the JDK two configuration files that are 
>> the default jaxp.properties and jaxp-strict.properties, instead of three, 
>> dropping jaxp-compat.properties.
>
> Joe Wang has updated the pull request incrementally with one additional 
> commit since the last revision:
> 
>   remove jaxp-compat.properties from the list

src/java.xml/share/conf/jaxp-strict.properties line 9:

> 7: # test the more secure/strict behavior, identify issues such as a processor
> 8: # unknowingly makes outbound network connections to fetch DTD, or processes XML
> 9: # that relies on extension functions.

There isn't a JEP to propose that XML processing be secure by default on the 
technical roadmap right now so I think this paragraph will need to be tweaked 
to avoid making any assumptions. I think just say that the file provides the 
settings for more secure XML processing and drop the text about testing (and 
"and create your own configuration file for the experiment" from the paragraph 
below).

-

PR Review Comment: https://git.openjdk.org/jdk/pull/18831#discussion_r1604405287


Re: RFR: 8330542: Add jaxp-strict.properties in preparation for a secure by default configuration [v8]

2024-05-16 Thread Alan Bateman
On Thu, 16 May 2024 22:20:39 GMT, Joe Wang  wrote:

>> Add two sample configuration files:
>> 
>>   jaxp-strict.properties: used to set strict configuration, stricter than 
>> jaxp.properties in previous versions such as JDK 22
>> 
>>>   jaxp-compat.properties: used to regain compatibility from any more 
>>> restricted configuration than previous versions such as JDK 22
>> 
>> Updated 5/16/2024
>> 
>> Design change:
>> The design is changed to include in the JDK two configuration files that are 
>> the default jaxp.properties and jaxp-strict.properties, instead of three, 
>> dropping jaxp-compat.properties.
>
> Joe Wang has updated the pull request incrementally with one additional 
> commit since the last revision:
> 
>   remove jaxp-compat.properties from the list

make/modules/java.xml/Copy.gmk line 37:

> 35: JAXPPROPFILE_TARGET_FILES := $(subst $(JAXPPROPFILE_SRC_DIR),$(CONF_DST_DIR),$(JAXPPROPFILE_SRCS))
> 36: 
> 37: $(CONF_DST_DIR)/%: $(JAXPPROPFILE_SRC_DIR)/%

The make file changes to copy the properties files look okay but I'm curious 
about why the naming changes from "XML" to "JAXPPROFILE".

-

PR Review Comment: https://git.openjdk.org/jdk/pull/18831#discussion_r1604383246


Re: RFR: 8330542: Add jaxp-strict.properties in preparation for a secure by default configuration [v8]

2024-05-16 Thread Joe Wang
> Add two sample configuration files:
> 
>   jaxp-strict.properties: used to set strict configuration, stricter than 
> jaxp.properties in previous versions such as JDK 22
> 
>>   jaxp-compat.properties: used to regain compatibility from any more 
>> restricted configuration than previous versions such as JDK 22
> 
> Updated 5/16/2024
> 
> Design change:
> The design is changed to include in the JDK two configuration files that are 
> the default jaxp.properties and jaxp-strict.properties, instead of three, 
> dropping jaxp-compat.properties.

Joe Wang has updated the pull request incrementally with one additional commit 
since the last revision:

  remove jaxp-compat.properties from the list

-

Changes:
  - all: https://git.openjdk.org/jdk/pull/18831/files
  - new: https://git.openjdk.org/jdk/pull/18831/files/f3af4ae9..cf4df792

Webrevs:
 - full: https://webrevs.openjdk.org/?repo=jdk&pr=18831&range=07
 - incr: https://webrevs.openjdk.org/?repo=jdk&pr=18831&range=06-07

  Stats: 1 line in 1 file changed: 0 ins; 1 del; 0 mod
  Patch: https://git.openjdk.org/jdk/pull/18831.diff
  Fetch: git fetch https://git.openjdk.org/jdk.git pull/18831/head:pull/18831

PR: https://git.openjdk.org/jdk/pull/18831